Introduction
When you're managing infrastructure using Terraform, you expect your setup to be exactly the way it's written in your code. But over time, things can get messy without your knowledge.
Maybe someone manually tweaks something in the AWS console. Or maybe a cloud service updates an attribute you didn’t expect. These kinds of silent changes are known as infrastructure drift.
Usually, we rely on terraform plan to catch these. But here's the problem:
Point to Remember:
terraform plan only compares the current state file with your configuration. It doesn’t always check what’s really deployed in your cloud account.
So if something has changed outside of Terraform and your state file hasn’t been updated or refreshed, it might go completely unnoticed.
Why terraform plan isn't always enough
Let’s break this down:
It checks what you think is deployed (from your state file)
It compares that with your Terraform configuration (your .tf files)
But it doesn't verify what's actually running in your cloud provider unless you manually refresh the state
From these points it follows that:
If a resource was deleted manually, Terraform won’t always know.
If someone updated a setting directly in AWS, that change could be missed.
If your state file is outdated or corrupted, the plan won’t catch it.
In short, terraform plan isn’t foolproof for detecting real-world drift.
Tools That Go Beyond the State File
Thankfully, there are tools designed specifically to help with this. Let’s look at two solid options: DriftCTL and Infracost.
1. DriftCTL: A Tool Built for Drift Detection
DriftCTL is an open-source tool that checks your actual cloud infrastructure and compares it directly with your Terraform configuration.
It doesn’t rely on the state file. Instead, it reads what’s really there in your AWS account and tells you what’s different from your code.
Note: Driftctl Installation Link (If not working for any case)
How it works:
Connects to your cloud provider (like AWS)
Reads your .tf files
Highlights resources that are missing, changed, or unmanaged
Example:
Let’s say you want to check for drift in your Terraform project:
driftctl scan --from tfdir=.
This will show a report of any mismatches it finds.
You might see something like:
An IAM policy that was changed manually
An S3 bucket that exists but isn’t managed by Terraform
A resource that your code expects but has been deleted
This is exactly the kind of information that terraform plan might miss.
2. Infracost: Known for Cost, Helpful for Drift
Infracost is mainly used to estimate how much your infrastructure will cost before you apply changes. But it also has a diff mode that can be handy for spotting unexpected changes.
When you run:
infracost diff --path=.
It shows the differences between the planned resources and what's already in the cloud. While it’s designed to show cost changes, it can also alert you to potential drifts like instance type changes or unexpected scaling.
Infracost is not a full drift detection tool like DriftCTL, but it can still give you useful signals, especially in CI/CD pipelines.
Automating Drift Checks
You don't have to run these tools by hand every week; the check can be automated.
For example, using GitHub Actions or a simple cron job, you can schedule driftctl scan to run daily or weekly and notify your team if something’s out of place.
Here’s a basic example using GitHub Actions:
- name: Run DriftCTL
  run: |
    curl -sL https://github.com/snyk/driftctl/releases/latest/download/driftctl_linux_amd64.zip -o driftctl.zip
    unzip driftctl.zip
    ./driftctl scan --from tfdir=. --output json > drift_report.json
To use it with a cron job, a small wrapper script can be written:
#!/bin/bash
# run_driftctl.sh: scan for drift and send an alert when driftctl reports any
set -u
# Set variables for your Terraform directory and the report location
TF_DIR="/path/to/your/terraform/code"   # Change this to your actual path
OUTPUT_DIR="/path/to/output/dir"        # Location where drift reports will be stored
REPORT="$OUTPUT_DIR/drift_report_$(date +'%Y-%m-%d_%H-%M-%S').json"
# Run driftctl scan against your Terraform directory and keep the JSON report.
# driftctl exits with a non-zero status when it finds drift, so the exit code
# is the signal; grepping every old report in the directory would re-alert on
# drift from previous runs and the JSON output has no "drifted resources" text.
if ! driftctl scan --from tfdir="$TF_DIR" --output json > "$REPORT"; then
  # Replace the recipient with your team's address
  echo "Drift detected! Please check the drift report: $REPORT" | mail -s "Terraform Drift Alert" alerts@example.com
fi
Once the script is made executable, it can be scheduled with cron as shown below:
# Make the script executable, then add it to the crontab
chmod +x /path/to/run_driftctl.sh
crontab -e
# Add a line like this to run the scan at 3 am every day
0 3 * * * /path/to/run_driftctl.sh
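As an added example (not code from the original post), here is a small Python checker that reads driftctl's JSON report, separates changed, deleted and unmanaged resources, and exits non-zero when anything needs attention, so the cron script above or a CI step can act on it. The report field names (summary, unmanaged, deleted, differences) are my assumption about driftctl's JSON layout, the sample report is constructed, and the allowlist of ignored types is hypothetical.

```python
import json
import sys

# Constructed sample of a driftctl JSON report (driftctl scan --output json).
# The key names are an assumption about driftctl's layout; adjust if yours differ.
SAMPLE_REPORT = """{
  "summary": {"total_resources": 5, "total_changed": 1, "total_unmanaged": 2,
              "total_deleted": 1, "total_managed": 3},
  "managed": [{"id": "prod-logs", "type": "aws_s3_bucket"}],
  "unmanaged": [
    {"id": "scratch-bucket-42", "type": "aws_s3_bucket"},
    {"id": "AWSServiceRoleForSupport", "type": "aws_iam_role"}
  ],
  "deleted": [{"id": "sg-0123456789abcdef0", "type": "aws_security_group"}],
  "differences": [
    {"res": {"id": "AdminPolicy", "type": "aws_iam_policy"},
     "changelog": [{"type": "update", "path": ["policy"],
                    "from": "old-document", "to": "new-document"}]}
  ]
}"""

# Hypothetical allowlist: resource types the provider creates on its own
# (service-linked roles, for instance) that nobody is expected to manage.
IGNORED_UNMANAGED_TYPES = {"aws_iam_role"}


def summarize_drift(report_text):
    """Group a driftctl JSON report into the findings worth alerting on."""
    report = json.loads(report_text)
    name = lambda r: f"{r['type']}.{r['id']}"  # "aws_s3_bucket.prod-logs" style
    return {
        "changed": [name(d["res"]) for d in report.get("differences", [])],
        "deleted": [name(r) for r in report.get("deleted", [])],
        "unmanaged": [name(r) for r in report.get("unmanaged", [])
                      if r["type"] not in IGNORED_UNMANAGED_TYPES],
    }

def has_drift(findings):
    return any(findings.values())

def format_alert(findings):
    """One line per finding, e.g. 'deleted: aws_security_group.sg-...'."""
    return "\n".join(f"{kind}: {res}" for kind, items in findings.items() for res in items)

if __name__ == "__main__":
    # Read a real report from argv, or fall back to the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    findings = summarize_drift(text)
    print(format_alert(findings) or "No drift detected")
    sys.exit(1 if has_drift(findings) else 0)  # non-zero so cron/CI can alert
```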
Tips to Prevent and Manage Drift
Use cloud provider IAM policies to limit manual changes
Set up regular drift detection jobs
Tag all Terraform-managed resources clearly
Enable cloud audit logging
Educate team about the risks of changing infrastructure outside of code
Conclusion
Drift happens. No matter how careful you are, someone might tweak something outside Terraform—or a service might auto-update something you weren’t expecting.
Relying on terraform plan is a good start, but it’s not enough. By using tools like DriftCTL or even Infracost’s diff mode, you can get a clearer picture of what’s really running in your cloud environment.
Keeping your infrastructure aligned with your code means fewer surprises, less downtime, and more confidence in your deployments.
EzyInfra.dev – Expert DevOps & Infrastructure consulting! We help you set up, optimize, and manage cloud (AWS, GCP) and Kubernetes infrastructure—efficiently and cost-effectively. Need a strategy? Get a free consultation now!